Allowing a User to Access Another User's Exchange 2003 Mailbox

Sometimes a manager, co-worker, or assistant needs to access another user's mailbox. I'll discuss three recommended methods you can use to achieve this in Microsoft Outlook 2010 and Outlook 2003, and Microsoft Exchange Server 2003. I'll also let you know about some methods to avoid. To demonstrate these methods, let's say that Bob (i.e., user1) needs access to the mailbox of Sally (i.e., user2).

Method 1

One way to give Bob access to Sally's mailbox is to use delegation, which can be achieved without the involvement of an administrator. First, Sally needs to give Bob access to her mailbox. In Outlook 2003, this is done by choosing Options on the Tools menu, selecting the Delegates tab, and clicking the Add button, as shown in Figure 1. (In Outlook 2010, it's done by selecting Info on the File tab, clicking Account Settings, choosing Delegate Access, and clicking Add.)

Clicking Add spawns the Add Users dialog box. Sally just needs to highlight Bob's Active Directory (AD) username, click the Add button, and click the OK button. This brings up the Delegate Permissions dialog box shown in Figure 2. In it, Sally can configure the permissions she wants to give Bob for each of the following folders: Calendar, Contacts, Inbox, Journal, Notes, and Tasks.

After Sally has given Bob delegate permissions, Bob can access Sally's mailbox in his Outlook client. To do so, he needs to select Open on the File menu and click the Other User's Folder option. In the dialog box shown in Figure 3, Bob can then click the Name button, select Sally's AD username, and select the folder he wants to access.

When Bob replies to Sally's email, the email reply will include "on behalf of" in the From field. Figure 4 shows an example of this.

The main advantages to Method 1 are that an administrator doesn't need to be involved and users can easily understand what permissions they're giving to other users. The disadvantage is that Bob can access only six folders (i.e., Calendar, Contacts, Inbox, Journal, Notes, and Tasks) and only one folder at a time.

Method 2

Another way to give Bob access to Sally's mailbox is to manually add Bob's AD username (user1) to Sally's Send on behalf permissions using either the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in or the Server Management console in Windows Server Essentials (formerly named Small Business Server). This method requires the involvement of an administrator, but not Bob or Sally.

Here are the steps that you or another administrator should follow to add Sally's AD username in the Active Directory Users and Computers snap-in:

Expand the appropriate domain and click the appropriate Users folder to open it. Double-click Sally's entry in the Users folder to open the Properties dialog box for Sally.

In Sally's Properties dialog box, select the Exchange General tab and click the Delivery Options button to open the Delivery Options dialog box. In the Send on behalf section, click the Add button. This will spawn the familiar AD selection dialog box in which you can select or enter an AD user or group. In this case, select Bob's AD username and click OK. You'll now see Bob's AD username in theGrant this permission to box, as shown in Figure 5. Click the OK button to close the Delivery Options dialog box.

Warning: If the Mailbox Rights tab contains only the SELF entry in the Group or user names box, don't add or edit any AD user. Immediately click the Cancel button and see the Microsoft article "Mailbox Rights for New Users Shows Only Self" for corrective action before continuing to the next step.

Assuming that the Group or user names box doesn't contain only SELF, click the Add button to bring up the AD selection dialog box. Select or enter Bob's AD username and click OK. Bob's AD username (i.e., user1) will now appear in the Group or user names box, as shown in Figure 6.

Highlight Bob's AD username in the Group or user names box. In the Permissions for User1 section, select the Full mailbox access check box. Click the OK button to close the Permissions dialog box.

After these steps are performed, Bob can access Sally's mailbox through the Other User's Folder option in his Outlook client. Like with Method 1, the email replies made by Bob to Sally's emails will include "on behalf of" in the From field.

Method 2 has the same disadvantage as Method 1. Bob can access only six folders (i.e., Calendar, Contacts, Inbox, Journal, Notes, and Tasks) and only one folder at a time.

Method 3

A third way to give Bob access to Sally's mailboxis to add Sally's Exchange profile to Bob's Windows Mail Profile. This method requires the involvement of an administrator, but not Bob or Sally (as long as the administrator has access to Sally's desktop). Here are the steps that you or another administrator should perform:

Grant Bob the Send on behalf and Full mailbox access permissions for Sally's mailbox using the Active Directory Users and Computers snap-in, following steps 1 through 6 in the "Method 2" section.

Make sure that Bob is an Exchange user.

Warning: If Bob isn't an Exchange user and an Exchange Profile is added to his Windows Mail Profile, Bob will lose various Outlook settings, including Rules and Alerts. In addition, the Outlook Calendar will be moved to the Exchange Calendar.

On Bob's PC, open the Control Panel and click the Mail icon. (If this icon isn't visible, change the View by option to either Large icons or Small icons.) Alternatively, you can access the Control Panel Mail applet by running the command

control mlcfg32.cpl

from Cmd.exe.

In the Mail Setup dialog box, click the Show Profiles button in the Profiles section. This will open the Mail dialog box, which contains only the General tab. A box labeled The following profiles are set up on this computer will already contain a highlighted profile called Default, Exchange, or some other name that was created by the person who originally configured Outlook as an Exchange client. Click the Properties button for the appropriate profile to open the Mail Setup dialog box for that profile.

In the Mail Setup dialog box, click the E-mail Accounts button to open the Account Settings dialog box. On the E-mail tab, highlight Microsoft Exchange Server and click the Change option in the tab's header. (Don't click the Change Folder button at the bottom.)

In the Change Account dialog box, click the More Settings button and select the Advanced tab. In the Mailboxes section, click the Add button.

In the Add User dialog box that appears, add Sally's Exchange profile using her short Windows user logon name and click OK. (Note that there's no lookup functionality available like you'd find in the Active Directory Users and Computers snap-in.) The Mailboxes section will then show her AD display name, as Figure 7 shows. Don't click the OK button just yet.

In the Cached Exchange Mode Settings section, leave the Use Cached Exchange Mode check box clear. If this option is enabled, Sally's mailbox will be cached locally on Bob's PC. This will not only generate a lot of network traffic but also take up disk space on Bob's PC and increase backup time.

Click OK to exit the Advanced tab of the More Settings dialog box.

In the Change Account dialog box, click the Next button at the bottom to continue. In the Congratulations dialog box, click the Finish button.

Click the Close button in the Account Settings and Mail Setup dialog boxes. In the Mail dialog box, click the OK button.

Now when Bob opens his Outlook client, he'll see his mailbox and Sally's mailbox, as Figure 8 shows.

As in Method 1 and Method 2, the email replies made by Bob to Sally's emails will include "on behalf of" in the From field. When Bob replies to Sally's emails, the replies are stored in Sally's Sent Items. Although users might not expect this, it's logical to store them there.

Method 3 offers two important advantages. First, Bob has full access to all of Sally's Outlook folders (not just the Calendar, Contacts, Inbox, Journal, Notes, and Tasks folders). Second, Bob can use the full functionality of the Outlook client to manage Sally's mailbox.

Methods to Avoid

There are two more ways to give Bob access to Sally's mailbox, both of which I don't recommend:

Using Microsoft Outlook Web Access (OWA). With this method, Sally would give Bob her Windows logon credentials and Bob would use those credentials to open her mailbox in OWA. Although this approach takes the least amount of effort to accomplish, it's at the complete expense of network security. In addition, only one mailbox can be open at a time, no matter which web browser is being used. Evidently, OWA allows only one mailbox connection per PC ID or IP address. Finally, OWA isn't as feature rich as the Outlook client.

Using the Sharing option. With this method, Sally would right-click her mailbox and select the Sharing option in Outlook 2003. However, this brings up a dialog box whose options are very confusing to configure. (In Outlook 2010, the same dialog box is reached by right-clicking the mailbox, clicking Folder permissions, and selecting the Permissions tab.) Plus, Outlook doesn't offer any help on configuring the options in this dialog box, not even when F1 is pressed.

Three Methods Lead to Same Successful Result

Having a manager, co-worker, or assistant manage an absent employee's Exchange email account is commonplace and necessary. Email access can quickly be provided, without compromising the absent employee's entire desktop. There's absolutely no need to share Windows logon passwords just so someone can handle another person's Exchange mailbox. Employees will also appreciate that they don't have to bounce from desk to desk many times a day to respond to absent employees' email messages.

In addition, the "on behalf of" insertion in the From field ensures that the manager, co-worker, or assistant can't use the absent employee's email without his or her knowledge, preventing intentional nefarious behavior. The "on behalf of" insertion also prevents confusion in the future as to who actually created the email content.

As you've seen, there are three recommended methods for allowing a user to access another user's Exchange mailbox. Method 1 allows users to delegate authority, albeit with limited access to the absent employee's entire Exchange folder structure. Method 2 provides the same capabilities as Method 1 and might be more appropriate for non-technical-savvy users. For users, Method 3 is just like sitting in the absent employee's chair. Plus, it's the best method for administrators who need complete control. No matter which recommended method you choose, it takes less than three minutes to implement it once you know what you're doing.